Abstract. Several key agreement protocols are based on the following Generalized Conjugacy Search Problem: Find, given elements

$b_1, \dots, b_n$ and $x b_1 x^{-1}, \dots, x b_n x^{-1}$

in a nonabelian group $G$, the conjugator $x$. In the case of subgroups of the braid group $B_N$, Hughes and Tannenbaum suggested a length-based approach to finding $x$. Since the introduction of this approach, its effectiveness and successfulness were debated.

We introduce several effective realizations of this approach. In particular, a length function is defined on $B_N$ which possesses significantly better properties than the natural length associated to the Garside normal form. We give experimental results concerning the success probability of this approach, which suggest that an unfeasible computational power is required for this method to successfully solve the Generalized Conjugacy Search Problem when its parameters are as in existing protocols.



1. Introduction

Assume that $G$ is a nonabelian group. The following problem has a long history and many applications (see [12]).

Problem 1.1 (Generalized Conjugacy Search Problem). Given elements $b_1, \dots, b_n \in G$ and their conjugations by an unknown element $x \in G$,

$x b_1 x^{-1}, x b_2 x^{-1}, \dots, x b_n x^{-1}$,

find $x$ (or any element $\tilde{x} \in G$ such that $\tilde{x} b_i \tilde{x}^{-1} = x b_i x^{-1}$ for $i = 1, \dots, n$).

In the sequel, we will not make any distinction between the actual conjugator $x$ and any other conjugator $\tilde{x}$ yielding the same results.

The braid group $B_N$ is the group generated by the $N - 1$ Artin generators $\sigma_1, \dots, \sigma_{N-1}$, with the relations

$\sigma_i \sigma_j = \sigma_j \sigma_i$ when $|i - j| > 1$

Information on the basic algorithms in the braid group is available in [3] and the references therein. We will focus on the case where $G$ is the subgroup of $B_N$ generated by given elements $a_1, \dots, a_m$. A solution of the generalized conjugacy problem in this case immediately implies the vulnerability of several cryptosystems introduced in [11, 15], and the methods of solution may be applicable to several other cryptosystems from [PHH].

History, motivation, and related work. The length-based approach to the Conjugacy Problem was suggested by Hughes and Tannenbaum in [H], as a potential attack on the cryptosystems introduced in [?]. Based on [H], Garrett [10] has doubted the security of these cryptosystems. But soon afterwards he published an errata withdrawing these doubts (see [12]). The reason was that no known realization of Hughes and Tannenbaum's scheme (i.e., definition of actual, effective length functions) was given before, and in particular, the success probability of this approach could not be estimated. The purpose of the current paper is to introduce and compare several such realizations, and provide actual success probabilities for specific parameters.

We stress that we are not interested here in the best possible solution of the generalized conjugacy problem, but rather in settling the debate concerning the applicability of the Hughes-Tannenbaum length-based approach to the problem.

Other approaches appear in [13], [17] and turn out more successful. However, the length-based approach has several advantages: First, one does not need to know the conjugated element in order to find the conjugator using this approach, and second, it essentially deals with arbitrary equations. The current paper gives the foundations of this approach, on which we build in [9], where an extension of this approach is suggested and good success rates are achieved for arbitrary equations.

Some of the citations of the present paper (see [2, 5, 11, 16, 19, 20, 21, 6]) refer to its preliminary draft [8], which contains many more details and examples. We have tried to make the present version concise.

Length-based attacks. Throughout this paper we make the following assumptions:

(1) The conjugator $x$ belongs to a given finitely generated subgroup of $B_N$, whose generators

$\{a_1, \dots, a_m, a_1^{-1}, \dots, a_m^{-1}\}$

are given;

(2) $x$ was generated as a product of a fixed, known number of generators $a_i^{\pm 1}$ chosen at random from the set of generators;

(3) We are given elements

$x b_1 x^{-1}, \dots, x b_n x^{-1}$

where each $b_i \in B_N$ is generated by some (nontrivial) random process, and we wish to find $x$.

We try to find the conjugator $x$ by using the property that for an appropriate, efficiently computable length function $\ell$ defined on $B_N$, $\ell(a^{-1} b a)$ is usually greater than $\ell(b)$ for elements $a, b \in B_N$. Therefore, we try to reveal $x$ by peeling off generator after generator from the given braid elements $x b_1 x^{-1}, \dots, x b_n x^{-1}$: Assume that

$x = g_1 g_2 \cdots g_k$,

where each $g_i$ is a generator. We fix some linear order $\preceq$ on the set of all possible $n$-tuples of lengths, and choose a generator $g$ for which the lengths vector

$(\ell(g^{-1} x b_1 x^{-1} g), \dots, \ell(g^{-1} x b_n x^{-1} g))$

is minimal with respect to $\preceq$. With some nontrivial probability, $g$ is equal to $g_1$ (or at least, $x$ can be rewritten as a product of $k$ or fewer generators such that $g$ is the first generator in this product), so that $g^{-1} x = g_2 \cdots g_k$ is a product of fewer generators and we may continue this way, until we get all $g_i$'s forming $x$.

If one is capable of doing $O((2m)^t)$ computations, it is better to check all possibilities of $g_1 \cdots g_t$ by peeling off $g_1 \cdots g_t$ from $x$ and choosing the $t$-tuple which yielded the minimal lengths vector. We will call this approach look ahead of depth $t$.

In order for any of the above to be meaningful, we must define the length function $\ell$ and the linear ordering $\preceq$. We will consider several candidates for these.

2. Realizations of the length function

We assume that each generator is obtained by taking a product of some fixed number of (randomly chosen) Artin generators, to which we refer as the "length" of the generators. Unless otherwise stated, in all of our experiments the length of each element $a_i$ is 10. By a generator we mean either an element $a_i$, $i = 1, \dots, m$, or its inverse. We will (informally) write $|x| = n$ when we mean that $x$ was generated by a product of $n$ generators chosen at random (with uniform distribution) from the list of $2m$ generators $a_1, \dots, a_m, a_1^{-1}, \dots, a_m^{-1}$.

2.1. The length function $\ell$. The Garside normal form of an element $w \in B_N$ is the unique presentation of $w$ in the form $\Delta_N^{-r} \cdot p_1 \cdots p_k$, where $r \ge 0$ is minimal and $p_1, \dots, p_k$ are permutation braids in left canonical form [3]. Using the Garside normal form, one can assign a "length" to each $w \in B_N$ efficiently [3].

Definition 2.1. The Garside length of an element $w \in B_N$, $\ell_G(w)$, is the number of Artin generators needed to write $w$ in its Garside normal form. If the Garside normal form of $w$ is $\Delta_N^{-r} \cdot p_1 \cdots p_k$, then



where $|p|$ denotes the length of the permutation $p$.¹

The problem with this function is that it is not close enough to being monotone with $|x|$: One has to multiply many generators before an increase in the length function is observed. The left part of Figure 1 shows, for a fixed word $b$, $\ell_G(x b x^{-1})$ as a function of $|x|$. Its right part shows the average of $\ell_G(x b x^{-1})$ computed over 1200 random words.

Figure 1. The growth of $\ell_G(w)$: Specific case (left) and average growth (right)

We wish to have a length function that is closer to being monotone. For each permutation braid $p$, $\bar{p} := p^{-1} \Delta_N$ is a permutation braid.

¹ The length of a permutation $p$ is the number of order distortions in $p$, that is, pairs such that $i < j$ and $p(i) > p(j)$.
Thus, if $w = \Delta_N^{-r} \cdot p_1 \cdots p_k$ and $r > 0$, we can replace $\Delta_N^{-1} p_1$ with $\bar{p}_1^{-1}$ to get $w = \Delta_N^{-(r-1)} \cdot \bar{p}_1^{-1} p_2 \cdots p_k$. Now, $\Delta_N$ almost commutes with any permutation braid: For each permutation braid $q$ there exists a permutation braid $q'$ such that $|q'| = |q|$ and $q \Delta_N = \Delta_N q'$, that is, $\Delta_N^{-1} q^{-1} = (q')^{-1} \Delta_N^{-1}$. Consequently, $w = \Delta_N^{-(r-2)} \cdot (p'_1)^{-1} \Delta_N^{-1} p_2 \cdots p_k$, and we can replace $\Delta_N^{-1} p_2$ with $\bar{p}_2^{-1}$ as before. We iterate this process as much as possible, to get a presentation

$w = \Delta_N^{-(r-k)} \cdot (p'_1)^{-1} \cdots (p'_k)^{-1}$ if $k \le r$,

$w = (p'_1)^{-1} \cdots (p'_r)^{-1} \cdot p_{r+1} \cdots p_k$ if $r < k$.

In each case, $w$ has the form $a^{-1} b$ where $a, b$ are positive braid words or the identity element, and we define the reduced Garside length to be the sum of the length of $a$ and the length of $b$.² This is equivalent to the following.

Definition 2.2. Let $w = \Delta_N^{-r} \cdot p_1 \cdots p_k$ be the Garside normal form of $w$. The Reduced Garside length of $w$ is defined by

$\min(r, k)$
$i = 1$

This function turns out much closer to monotone than $\ell_G$; see Figure 2.

Figure 2. The growth of $\ell_{RG}(w)$: Specific case (left) and average growth (right)

² The length of a positive braid word is well defined to be the number of generators in its presentation.
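As an added worked example (my own code, not code from the paper or its authors), the following Python computes the left (Garside) normal form of a braid word in $B_N$ from its Artin generators and then evaluates $\ell_G$ (Definition 2.1) and $\ell_{RG}$ (the $a^{-1} b$ reduction above) on it. The permutation-braid representation, the left-weighting loop and the word encoding (+i for $\sigma_i$, -i for $\sigma_i^{-1}$) are my own conventions; $\ell_{RG}$ is computed as the sum of the lengths of $a$ and $b$ exactly as the text constructs them, using $|\bar{p}_i| = |\Delta_N| - |p_i|$, and the sample words at the bottom are constructed for the demonstration.

```python
# Added example (mine, not code from the paper): Garside normal form of a braid word in B_N
# via permutation braids, with the Garside length l_G (Definition 2.1) and the reduced
# Garside length l_RG (the a^{-1} b reduction of Section 2.1).
# Conventions assumed here: a permutation braid is a tuple p with p[i] = end position of the
# strand that starts at position i; a word is a list of nonzero ints, +i for sigma_i and
# -i for sigma_i^{-1} (1-indexed), so [-2, 1, 2] is sigma_2^{-1} sigma_1 sigma_2.

def delta(N):
    """Permutation of the half twist Delta_N: it reverses the strand order."""
    return tuple(range(N - 1, -1, -1))

def compose(a, b):
    """Permutation of the braid a*b (a first, then b): strand i ends at b[a[i]]."""
    return tuple(b[i] for i in a)

def inverse(p):
    inv = [0] * len(p)
    for i, v in enumerate(p):
        inv[v] = i
    return tuple(inv)

def inversions(p):
    """Crossings of a permutation braid = its length |p| (footnote 1)."""
    n = len(p)
    return sum(1 for i in range(n) for j in range(i + 1, n) if p[i] > p[j])

def sigma(N, j):
    """Permutation of the Artin generator sigma_{j+1} (j is 0-indexed)."""
    p = list(range(N))
    p[j], p[j + 1] = p[j + 1], p[j]
    return tuple(p)

def starting_set(p):
    """S(p): generators that split off on the left, i.e. the descents of p."""
    return {j for j in range(len(p) - 1) if p[j] > p[j + 1]}

def finishing_set(p):
    """F(p): generators that split off on the right, i.e. the descents of p^{-1}."""
    return starting_set(inverse(p))

def flip(p):
    """tau(p) = Delta^{-1} p Delta, the automorphism sigma_i -> sigma_{N-i}."""
    d = delta(len(p))
    return compose(compose(d, p), d)

def left_weight(factors):
    """Move crossings left until every adjacent pair satisfies S(p_{i+1}) <= F(p_i)."""
    f = [list(p) for p in factors]
    changed = True
    while changed:
        changed = False
        for i in range(len(f) - 1):
            a, b = f[i], f[i + 1]
            movable = starting_set(b) - finishing_set(a)
            while movable:
                j = min(movable)
                for k in range(len(a)):          # a := a * sigma_j (swap the values j, j+1)
                    if a[k] in (j, j + 1):
                        a[k] = 2 * j + 1 - a[k]
                b[j], b[j + 1] = b[j + 1], b[j]  # b := sigma_j^{-1} * b (swap positions j, j+1)
                changed = True
                movable = starting_set(b) - finishing_set(a)
    return [tuple(p) for p in f]

def normal_form(N, word):
    """Return (e, [p_1, ..., p_k]) with word = Delta_N^e p_1 ... p_k in left normal form."""
    e, factors = 0, []
    for g in word:
        j = abs(g) - 1
        if g > 0:
            factors.append(sigma(N, j))
        else:
            # sigma_j^{-1} = Delta^{-1} X with X = Delta sigma_j^{-1} a permutation braid;
            # pulling Delta^{-1} to the front flips every factor collected so far.
            e -= 1
            factors = [flip(p) for p in factors]
            x = list(delta(N))
            i1, i2 = x.index(j), x.index(j + 1)
            x[i1], x[i2] = j + 1, j
            factors.append(tuple(x))
    factors = [p for p in left_weight(factors) if inversions(p) > 0]
    full = N * (N - 1) // 2                            # |Delta_N|
    while factors and inversions(factors[0]) == full:  # leading half twists join Delta^e
        e += 1
        factors.pop(0)
    return e, factors

def garside_length(N, word):
    """l_G: number of Artin generators in Delta^e p_1 ... p_k written out in full."""
    e, factors = normal_form(N, word)
    return abs(e) * (N * (N - 1) // 2) + sum(inversions(p) for p in factors)

def reduced_garside_length(N, word):
    """l_RG: |a| + |b| after rewriting Delta^{-r} p_1 ... p_k as a^{-1} b, where each
    Delta^{-1} p_i (i <= min(r,k)) becomes pbar_i^{-1} with |pbar_i| = |Delta| - |p_i|,
    a leftover Delta^{-(r-k)} stays inside a and leftover p_i stay inside b."""
    e, factors = normal_form(N, word)
    full = N * (N - 1) // 2
    lens = [inversions(p) for p in factors]
    if e >= 0:                                         # positive braid: a is the identity
        return e * full + sum(lens)
    r, k = -e, len(lens)
    m = min(r, k)
    return sum(full - l for l in lens[:m]) + max(r - k, 0) * full + sum(lens[m:])

if __name__ == "__main__":
    b, conj = [1], [-2, 1, 2]                # sigma_1 and sigma_2^{-1} sigma_1 sigma_2 in B_3
    print(garside_length(3, b), garside_length(3, conj))                  # 1 7
    print(reduced_garside_length(3, b), reduced_garside_length(3, conj))  # 1 3
```

Running the script on the constructed pair shows the effect behind Figures 1 and 2 in miniature: conjugating $\sigma_1$ by $\sigma_2$ in $B_3$ raises $\ell_G$ from 1 to 7 (the normal form is $\Delta_3^{-1} \cdot (\sigma_2 \sigma_1)(\sigma_1 \sigma_2)$), while $\ell_{RG}$ rises only from 1 to 3, the true minimal word length.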
2.2. Statistical comparison of the length functions. The purpose of the length function $\ell$ is to distinguish between the case $|X| = k - 1$ (after peeling off a correct generator) and $|X| = k + 1$ (after trying to peel off a wrong generator). Thus, a natural measure for the effectiveness of the length function is the distance in standard deviations between $\ell(X')$ and $\ell(X)$ when $|X'| = |X| + 2$.

We fixed a random set of 20 generators in $B_{81}$, and computed (an approximation of) $E(\ell(X') - \ell(X)) / \sqrt{V(\ell(X') - \ell(X))}$ as a function of $|X|$ for $|X| = 1, \dots, 100$. (Roughly speaking, when $n$ independent samples are added, the effectiveness of the comparison is $\sqrt{n}$ times this number.) We did that for both $\ell_G$ and $\ell_{RG}$. The results appear in Figure 3 and show that the score for $\ell_{RG}$ is significantly higher. This phenomenon is typical: we have checked several random subgroups of the braid group and all of them exhibited the same behavior.

Figure 3. Distance between right and wrong in standard deviations.

More evidence for the superiority of $\ell_{RG}$ over $\ell_G$ will be given in the following sections.

3. Realizations of the linear ordering $\preceq$

Recall that after peeling off a candidate for a generator and evaluating the resulting lengths, we need to compare the vectors of lengths according to some linear ordering $\preceq$, and choose a generator which gave a minimal vector with respect to $\preceq$. We tested two natural linear orderings.

The most natural approach is to take the average of the lengths in the vector. This is equivalent to the following.

Definition 3.1 (Average based linear ordering).



With this at hand, we have performed the following experiment. We fixed a subgroup of $B_{81}$ generated by $m = 20$ generators. Then we chose at random 200 elements of the form $x w_j$ which share the same leading prefix $x$, and for each generator $a_i^{\pm 1}$ we computed $\ell(a_i^{\pm 1} x w_j)$ for each $j$ (and $\ell = \ell_G$ or $\ell_{RG}$). For each of these two length functions $\ell$, we have sorted the resulting length vectors according to this ordering and checked the position of the "correct" generator, i.e., the generator which appeared leftmost in our computation of the word.³ We repeated the computations for 138 distinct $x$'s, and for $|x| = 40$ and $|x| = 100$. For an ideal length function (and an ideal linear ordering $\preceq$), the correct generator would always be ranked first, and the results in Figure 4 show that $\ell_{RG}$ is closer to this ideal than $\ell_G$: In the graphs, we show the distribution (lower part of the graph) and the accumulated distribution (upper part of the graph) of the position of the correct generator, for each of the length functions.

³ In principle there could be more than one "correct" generator, but when the generators are long enough this is unlikely to happen often.

Figure 4. Position of correct generator: $\ell_G$ and $\ell_{RG}$
However, it turns out that even for the better length function $\ell_{RG}$, the task of identifying the correct generator is not trivial. To demonstrate this, we selected at random one of the cases of $x$ from the previous experiment, and computed over the given 200 samples the distribution of $\ell_{RG}$ for each generator. Figure 5 shows the distribution for the correct generator (in boldface) and of 7 arbitrarily chosen out of the remaining 40 generators (for aesthetic reasons we did not plot all 40).

Figure 5. Actual distribution.

While the correct distribution tends more to the left (i.e., to smaller values), there is a large overlap with the rest of the distributions. We must emphasize that while Figure 5 demonstrates the typical case, there exist cases where the distribution of the correct generator is not the leftmost. In these cases the current method is doomed to fail, no matter how many conjugations we are given for the same conjugator.

Finally, for the sake of comparison, we define one more natural linear ordering of the space of length vectors. We expect the correct generator to yield the shortest length more often than the other generators. This motivates the following definition.

Definition 3.2 (Majority based linear ordering). Consider the set of all obtained length vectors. For each $i = 1, \dots, n$, consider the $i$th coordinate of each vector and let $\mu_i$ denote the minimum of all these $i$th coordinate values. Then

$(\alpha_1, \dots, \alpha_n) \preceq_{Maj} (\beta_1, \dots, \beta_n)$ if $|\{i : \alpha_i = \mu_i\}| > |\{i : \beta_i = \mu_i\}|$.

In the following section we compare the success probabilities of the length-based approach using the two length functions and two linear orderings defined in this section.
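The peel-off search of Section 1 with look ahead of depth $t$, combined with the average-based and majority-based orderings just defined, as an added example (my own code, not the authors'). To stay self-contained it runs over a free group instead of $B_N$: elements are freely reduced words, and the reduced word length stands in for $\ell_{RG}$, since conjugating a word by a generator it does not start with lengthens it by two, which is exactly the property the search exploits. The instance (the four free letters as the $a_i$, $x = a_1 a_2 a_3^{-1}$, two random-looking $b_i$) is constructed by hand, and `peel`, `average_key`, `majority_keys` and `check` are my names, not the paper's.

```python
# Added example (mine, not code from the paper): the generic peel-off search with look ahead
# of depth t from Section 1, scored under the average-based (Def. 3.1) and majority-based
# (Def. 3.2) orderings. The group is a free group used as a stand-in for B_N: a word is a
# tuple of nonzero ints, -i being the inverse of letter i, and the length function is the
# freely reduced word length. All instance data below are constructed for the demonstration.
from itertools import product

def reduce_word(word):
    """Free reduction: cancel adjacent inverse letters."""
    out = []
    for g in word:
        if out and out[-1] == -g:
            out.pop()
        else:
            out.append(g)
    return tuple(out)

def mul(*words):
    return reduce_word(sum((tuple(w) for w in words), ()))

def inv(word):
    return tuple(-g for g in reversed(word))

def conjugate(x, b):
    """x b x^{-1}."""
    return mul(x, b, inv(x))

def length(word):
    return len(reduce_word(word))

def average_key(vec):
    """Average-based ordering: vectors are compared by the mean of their entries."""
    return sum(vec) / len(vec)

def majority_keys(vectors):
    """Majority-based ordering: a vector scores one point per coordinate i in which it
    attains the column-wise minimum mu_i; more points means a 'smaller' vector, so the
    key returned is the negated count."""
    mu = [min(v[i] for v in vectors) for i in range(len(vectors[0]))]
    return [-sum(1 for i, a in enumerate(v) if a == mu[i]) for v in vectors]

def peel(conjugates, generators, k, t=1, ordering="average", length_fn=length):
    """Recover a conjugator x built from k generators, given x b_1 x^{-1}, ..., x b_n x^{-1}.
    generators: the subgroup generators a_1..a_m (their inverses are added here).
    Each round tries all (2m)^d prefixes g_1...g_d with d = min(t, generators left),
    peels off the prefix whose length vector is minimal under the ordering, and repeats."""
    gens = [tuple(a) for a in generators] + [inv(a) for a in generators]
    found, remaining = (), k
    current = [tuple(c) for c in conjugates]
    while remaining > 0:
        d = min(t, remaining)
        candidates = []
        for prefix in product(gens, repeat=d):
            g = mul(*prefix)
            peeled = [mul(inv(g), c, g) for c in current]   # g^{-1} (x b_i x^{-1}) g
            candidates.append((g, peeled, [length_fn(c) for c in peeled]))
        if ordering == "average":
            keys = [average_key(vec) for _, _, vec in candidates]
        else:
            keys = majority_keys([vec for _, _, vec in candidates])
        best = min(range(len(candidates)), key=lambda i: keys[i])
        g, current, _ = candidates[best]
        found = mul(found, g)
        remaining -= d
    return found

def check(x, conjugates, bs):
    """Any x' with x' b_i x'^{-1} = x b_i x^{-1} for all i counts as a solution (Problem 1.1)."""
    return all(conjugate(x, b) == c for b, c in zip(bs, conjugates))

# Constructed instance: the subgroup is generated by the four free letters, x = a_1 a_2 a_3^{-1}.
GENERATORS = [(1,), (2,), (3,), (4,)]
X = (1, 2, -3)
BS = [(2, 2, 4), (4, -1, 2)]
CONJUGATES = [conjugate(X, b) for b in BS]

if __name__ == "__main__":
    for t in (1, 2):
        for ordering in ("average", "majority"):
            x_found = peel(CONJUGATES, GENERATORS, k=len(X), t=t, ordering=ordering)
            print(t, ordering, x_found, check(x_found, CONJUGATES, BS))
```

On this instance every combination of depth and ordering recovers $x$, because in a free group the length vector of the correct prefix is strictly below every other candidate's; the braid-group experiments in Section 4 show how much of that separation is lost once $\ell_{RG}$ replaces the reduced word length.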

4. Experimental results for the conjugacy problem

4.1. The probability of obtaining the correct generator. In this experiment we determine the probability that the correct generator is indeed the minimal with respect to the length function $\ell$ and linear ordering $\preceq$ used. The choice of parameters in the experiments throughout the paper is usually motivated by the choices given in [1], which are believed there to make the generalized conjugacy problem difficult.

We made 200 experiments using the following parameters: $N = 81$, $n$ and $m$ (the number of $a_i$'s and $b_i$'s, respectively) are both 20, the elements $a_i$ and $b_i$ are products of 10 random Artin generators, and $x$ is the product of 5, 10, 20, 40, 60, or 100 random generators $a_i^{\pm 1}$, respectively. We tested look ahead depth $t = 1, 2$. In each cell of Table 1, below the probability that the correct generator is first, we wrote the probability of its being second.





| $\ell$, $\preceq$, $t$ | $\lvert x \rvert = 5$ | 10 | 20 | 40 | 60 | 100 |
|---|---|---|---|---|---|---|
| $\ell_G$, $\preceq_{Av}$, $t = 1$ | 0.56 / 0.16 | 0.478 / 0.188 | 0.322 / 0.1 | 0.267 / 0.167 | 0.233 / 0.089 | 0.156 / 0.1 |
| $\ell_G$, $\preceq_{Maj}$, $t = 1$ | 0.43 / 0.14 | 0.344 / 0.178 | 0.222 / 0.144 | 0.244 / 0.122 | 0.178 / 0.1 | 0.156 / 0.044 |
| $\ell_{RG}$, $\preceq_{Av}$, $t = 1$ | 0.74 / 0.13 | 0.589 / 0.233 | 0.567 / 0.189 | 0.456 / 0.122 | 0.311 / 0.167 | 0.233 / 0.167 |
| $\ell_{RG}$, $\preceq_{Maj}$, $t = 1$ | 0.71 / 0.15 | 0.578 / 0.267 | 0.578 / 0.133 | 0.433 / 0.089 | 0.289 / 0.167 | 0.211 / 0.167 |
| $\ell_G$, $\preceq_{Av}$, $t = 2$ | 0.433 / 0.156 | 0.287 / 0.08 | 0.111 / 0.087 | 0.1 / 0.038 | 0.114 / 0.055 | 0.099 / 0.035 |
| $\ell_G$, $\preceq_{Maj}$, $t = 2$ | 0.25 / 0.033 | 0.147 / 0.036 | 0.103 / 0.024 | 0.058 / 0.008 | 0.086 / 0.023 | 0.03 / 0.03 |
| $\ell_{RG}$, $\preceq_{Av}$, $t = 2$ | 0.578 / 0.183 | 0.526 / 0.127 | 0.333 / 0.135 | 0.242 / 0.138 | 0.2 / 0.105 | 0.168 / 0.05 |
| $\ell_{RG}$, $\preceq_{Maj}$, $t = 2$ | 0.511 / 0.139 | 0.482 / 0.139 | 0.31 / 0.127 | 0.242 / 0.104 | 0.186 / 0.091 | 0.149 / 0.089 |

Table 1. The probability that the correct generator is first or second (each cell: first / second)

Table 1 shows that the Reduced Garside length function $\ell_{RG}$ is significantly better than the standard Garside length function $\ell_G$. Also, observe that using look ahead depth 2 is preferable to using look ahead depth 1 twice (to see this, square the probabilities for $t = 1$). Another natural approach to using look ahead $t > 1$ is to consider only the first generator (of the word with the least score) as correct, and ignore the rest of the generators. This means that in the algorithm for finding $x$, we peel off only one generator at a time despite the fact that we used look ahead $t > 1$. This gives better success rates than just taking $t = 1$, and our experiments indicate that this approach may be slightly better than that of taking the whole look ahead word, but we did not extensively check this conjecture since the differences were not significant. Some other variants of the usage of look ahead are mentioned in [8].

4.2. Nonsymmetric parameters. This experiment checks the effect on the probability of success when the lengths of the generators $a_i$ and elements $b_i$ (in terms of Artin generators) are not equal.

We tested the probability of success for $N = 81$, $n = m = 20$, look ahead depth $t = 2$, and $|x| = 30$.





| length of $b_i$ | $\ell_{RG}$, $a_i$ of length 5 | 10 | 15 | 20 | 25 | $a_i$ of length 5 | 10 | 15 | 20 | 25 |
|---|---|---|---|---|---|---|---|---|---|---|
| 5 | 44 | 82 | 124 | 134 | 156 | 32 | 51 | 81 | 102 | 115 |
| 10 | 59 | 97 | 113 | 141 | 150 | 56 | 69 | 79 | 91 | 96 |
| 15 | 56 | 91 | 123 | 136 | 141 | 31 | 53 | 75 | 93 | 105 |
| 20 | 49 | 77 | 115 | 132 | 149 | 31 | 49 | 77 | 86 | 107 |
| 25 | 56 | 84 | 102 | 127 | 141 | 42 | 59 | 60 | 91 | 100 |

| length of $b_i$ | $\ell_{RG}$, $a_i$ of length 5 | 10 | 15 | 20 | 25 | $a_i$ of length 5 | 10 | 15 | 20 | 25 |
|---|---|---|---|---|---|---|---|---|---|---|
| 5 | 39 | 70 | 121 | 134 | 160 | 28 | 41 | 66 | 84 | 87 |
| 10 | 57 | 97 | 114 | 140 | 156 | 49 | 49 | 58 | 83 | 82 |
| 15 | 50 | 85 | 118 | 136 | 144 | 19 | 45 | 59 | 73 | 89 |
| 20 | 48 | 80 | 116 | 133 | 149 | 39 | 41 | 52 | 73 | 86 |
| 25 | 60 | 89 | 101 | 141 | 152 | 39 | 50 | 56 | 72 | 78 |

Table 2. Number of successes out of 200 tries for different lengths



As expected, Table 2 shows that if the length of the elements $a_i$ increases then so does the probability of finding a correct generator (this is like making look ahead deeper without exponentially increasing the number of candidates for the prefix of $x$). On the other hand, the effect of the length of the elements $b_i$ is not significant.

4.3. Increasing the number of given conjugates. Several experiments showed that increasing the number $n$ of given elements $x b_i x^{-1}$ from few (about 10) to many (about 3000) did not significantly increase the probability that the correct generator appears first.

In an instance of the problem the length function $\ell$ and the (unknown) element $x$ are fixed, and this defines for each generator $g$ the distribution $F_g$ of $\ell(g^{-1} x b x^{-1} g)$ over random words $b$ of a fixed given length (in terms of Artin generators). For each $g$, we have a sample of the distribution $F_g$ for each given equation. In most cases, the expectation of $F_g$ where $g$ is the first letter in $x$ is smaller than the other expectations (see Section 3), and then enough samples will allow us to identify $g$. However, in some cases the minimal expectation is obtained for another generator. In these cases adding more samples cannot help, and so the probability of finding the correct generator does not tend to 1 when we increase the number of samples.

Another important observation is that few samples (about 15) are needed in order to get very close to the expectation of the distributions $F_g$. In light of the preceding paragraph, the outcome of the algorithm can be decided after a relatively small number of samples (i.e., given conjugates) is collected. In particular, the success probability does not significantly improve when $n$ is large.

4.4. Finding $x$. The simplest way to try and obtain all generators of $x$, and therefore $x$, would be to use any of the above algorithms iteratively, at each step peeling off the first generator. In the following experiment, the probability of finding all of $x$ this way was tested. Here too, the lengths of the $a_i$'s and $b_i$'s were 10 Artin generators. We made 500 experiments, using a weaker variant of $\ell_{RG}$ as the length function, and with no look ahead ($t = 1$). We repeated this for $B_4, \dots, B_{20}$ and $x$ of lengths 2 to 18 generators $a_i^{\pm 1}$. The result is the number of successes out of 500 tries.



| $N$ \ $\lvert x \rvert$ | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4 | 429 | 361 | 289 | 262 | 204 | 181 | 137 | 120 | 107 | 94 | 77 | 52 | 50 | 37 | 38 | 25 | 31 |
| 5 | 436 | 378 | 327 | 269 | 215 | 185 | 173 | 120 | 119 | 106 | 75 | 67 | 56 | | 44 | | 28 |
| 6 | 446 | | 324 | 282 | 243 | | 183 | 154 | 115 | 107 | 88 | 68 | 65 | 59 | 36 | 47 | |
| 7 | 453 | 400 | 330 | 287 | | 208 | 176 | 142 | 126 | 97 | 74 | 69 | 50 | | 35 | 39 | 33 |
| 8 | 440 | 396 | 275 | 230 | 198 | 149 | 137 | 116 | 103 | 63 | 57 | 51 | 39 | 34 | 37 | 25 | 23 |
| 9 | 463 | 404 | 334 | 276 | 208 | 180 | 148 | 121 | 86 | 70 | 73 | 41 | 44 | 29 | 29 | 17 | 15 |
| 10 | 461 | 383 | 328 | 274 | 221 | 165 | 156 | 113 | 83 | 71 | 60 | 46 | 42 | 30 | 26 | 10 | 17 |
| 14 | 460 | 377 | 295 | 244 | | 140 | 108 | 79 | 54 | 41 | 33 | 19 | 14 | 14 | 8 | 9 | 8 |
| 17 | 453 | 365 | 293 | 221 | 167 | 118 | 89 | 56 | 56 | 33 | 16 | 17 | 10 | 4 | 2 | 4 | |
| 20 | 455 | 373 | 305 | 226 | 153 | | 73 | 43 | 36 | 21 | 11 | | 8 | | 3 | 3 | 2 |

Table 3. Number of successes for finding $x$ out of 500 tries (empty cells were not recovered from the source)



The results suggest that while we already obtain solutions (with nontrivial probability) for some nontrivial parameters, we must extend the approach in order to consider harder parameters. A successful extension is discussed in [9]. In the sequel we discuss some other possible extensions.



5. Possible improvements and conclusions

One approach is to create new conjugates by multiplying any number of existing ones (or their inverses). In fact, if $B$ is the group generated by $b_1, \dots, b_n$, then the group generated by $x b_1 x^{-1}, \dots, x b_n x^{-1}$ is $x B x^{-1}$. By Section 4.3, this does not help much.

The algorithm can be randomized by conjugating the given elements $x b_1 x^{-1}, \dots, x b_n x^{-1}$ by a random (known) element $y \in \langle a_1, \dots, a_m \rangle$, so that running it several times increases the success probability. The problem with this approach is that the conjugator becomes longer and therefore the probability of success in each single case decreases.

Our experiments showed that the peeling off process often enters a loop, that is, a stage to which we return every several steps. This can sometimes be solved by conjugating with a random known element after we enter the loop. We also tried to change the length function or the linear ordering when we enter a loop. These approaches were successful for small parameters but did not result in a significant improvement for large parameters.

We did not try approaches of learning algorithms, neural networks, etc. A simple example is to try and learn the distribution of the lengths for the correct generator and define the linear ordering according to the likelihood test.

The purpose of this paper was to check the applicability of Hughes and Tannenbaum's length-based approach against the key agreement protocols introduced in [?]. Our results suggest that this approach requires an unfeasible computational power in order to solve the generalized conjugacy search problem for the parameters used in these protocols. However, this method has natural extensions which can make it applicable: In [9] we suggest one particularly successful extension, and it turns out that it can solve these and other problems with standard computational power.